oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

*** empty log message ***

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4049 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Assar Westerlund
1997-11-20 02:15:19 +00:00
parent 72856d3e44
commit 7bff6e2028
2 changed files with 348 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

174
doc/draft-foo3.ms Normal file
View File

@@ -0,0 +1,174 @@
.pl 10.0i
.po 0
.ll 7.2i
.lt 7.2i
.nr LL 7.2i
.nr LT 7.2i
.ds LF Westerlund, Danielsson
.ds RF [Page %]
.ds CF
.ds LH Internet Draft
.ds RH November, 1997
.ds CH Kerberos vs firewalls
.hy 0
.ad l
.in 0
.ta \n(.luR
.nf
Network Working Group Assar Westerlund
<draft-ietf-cat-krb5-firewalls.txt> SICS
Internet-Draft Johan Danielsson
November, 1997 PDC, KTH
Expire in six months
.ce
Kerberos vs firewalls
.ti 0
Status of this Memo
.in 3
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its
areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-
Drafts as reference material or to cite them other than as
"work in progress."
To view the entire list of current Internet-Drafts, please check
the "1id-abstracts.txt" listing contained in the Internet-Drafts
Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East
Coast), or ftp.isi.edu (US West Coast).
Distribution of this memo is unlimited. Please send comments to the
<cat-ietf@mit.edu> mailing list.
.ti 0
Abstract
.in 3
.ti 0
Introduction
Kerberos is a protocol for authenticating parties communicating over
insecure networks.
Firewalling is a technique for achieving an illusion of security by
putting restrictions on what kinds of packets and how these are sent
between the internal (so called ``secure'') network and the global
Internet.
.ti 0
Definitions
types of firewalls: ...
client: the user, process, and host acquiring tickets from the KDC and
authenticating itself to the kerberised server.
KDC: the Kerberos Key Distribution Center
Kerberised server: the server using Kerberos to authenticate the
client, for example telnetd.
.ti 0
Scenarios
Here the different scenarios we have considered are described, the
problems they introduce and the proposed ways of solving them.
Combinations of these can also occur.
.ti 1
Client behind firewall
This is the most typical and common scenario. First of all the client
needs some way of communicating with the KDC. This can be done with
whatever means and is usually much simpler when the KDC is able to
communicate over TCP.
Apart from that, the client needs to be sure that the ticket it will
acquire from the KDC can be used to authenticate to a server outside
its firewall. For this, it needs to add the address(es) of potential
firewalls to the list of its own addresses when requesting the
ticket. We are not aware of any protocol for determining this set of
addresses, thus this will have to be manually configured in the
client.
With the ticket in possession, communication with the kerberised
server will not need to be any different from communicating between a
non-kerberised client and server.
.ti 1
KDC behind firewall
Once there is some way of getting the requests through the firewall to
the KDC and back to the requesting client there is nothing else that
can go wrong.
.ti 1
Kerberised server behind firewall
The kerberised server does not talk to the KDC at all so nothing
beyond normal firewall-traversal techniques for reaching the server
itself needs to be applied.
The kerberised server needs to be able to retrieve the original
address (before its firewall) that the request was sent for. If this
is done via some out-of-band mechanism or it's directly able to see it
doesn't matter.
.ti 0
Specification
.ti 0
Security considerations
.in 3
This memo does not introduce any known security considerations in
addition to those mentioned in [RFC1510].
.ti 0
References
.in 3
[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
Authentication Service (V5)", RFC 1510, September 1993.
.ti 0
Authors' Addresses
Assar Westerlund
.br
Swedish Institute of Computer Science
.br
Box 1263
.br
S-164 29 KISTA
.br
Sweden
Phone: +46-8-7521526
.br
Fax: +46-8-7517230
.br
EMail: assar@sics.se
Johan Danielsson
.br
PDC, KTH
.br
S-100 44 STOCKHOLM
.br
Sweden
Phone: +46-8-7907885
.br
Fax: +46-8-247784
.br
EMail: joda@pdc.kth.se

174
doc/standardisation/draft-foo3.ms Normal file
View File

@@ -0,0 +1,174 @@
.pl 10.0i
.po 0
.ll 7.2i
.lt 7.2i
.nr LL 7.2i
.nr LT 7.2i
.ds LF Westerlund, Danielsson
.ds RF [Page %]
.ds CF
.ds LH Internet Draft
.ds RH November, 1997
.ds CH Kerberos vs firewalls
.hy 0
.ad l
.in 0
.ta \n(.luR
.nf
Network Working Group Assar Westerlund
<draft-ietf-cat-krb5-firewalls.txt> SICS
Internet-Draft Johan Danielsson
November, 1997 PDC, KTH
Expire in six months
.ce
Kerberos vs firewalls
.ti 0
Status of this Memo
.in 3
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its
areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-
Drafts as reference material or to cite them other than as
"work in progress."
To view the entire list of current Internet-Drafts, please check
the "1id-abstracts.txt" listing contained in the Internet-Drafts
Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East
Coast), or ftp.isi.edu (US West Coast).
Distribution of this memo is unlimited. Please send comments to the
<cat-ietf@mit.edu> mailing list.
.ti 0
Abstract
.in 3
.ti 0
Introduction
Kerberos is a protocol for authenticating parties communicating over
insecure networks.
Firewalling is a technique for achieving an illusion of security by
putting restrictions on what kinds of packets and how these are sent
between the internal (so called ``secure'') network and the global
Internet.
.ti 0
Definitions
types of firewalls: ...
client: the user, process, and host acquiring tickets from the KDC and
authenticating itself to the kerberised server.
KDC: the Kerberos Key Distribution Center
Kerberised server: the server using Kerberos to authenticate the
client, for example telnetd.
.ti 0
Scenarios
Here the different scenarios we have considered are described, the
problems they introduce and the proposed ways of solving them.
Combinations of these can also occur.
.ti 1
Client behind firewall
This is the most typical and common scenario. First of all the client
needs some way of communicating with the KDC. This can be done with
whatever means and is usually much simpler when the KDC is able to
communicate over TCP.
Apart from that, the client needs to be sure that the ticket it will
acquire from the KDC can be used to authenticate to a server outside
its firewall. For this, it needs to add the address(es) of potential
firewalls to the list of its own addresses when requesting the
ticket. We are not aware of any protocol for determining this set of
addresses, thus this will have to be manually configured in the
client.
With the ticket in possession, communication with the kerberised
server will not need to be any different from communicating between a
non-kerberised client and server.
.ti 1
KDC behind firewall
Once there is some way of getting the requests through the firewall to
the KDC and back to the requesting client there is nothing else that
can go wrong.
.ti 1
Kerberised server behind firewall
The kerberised server does not talk to the KDC at all so nothing
beyond normal firewall-traversal techniques for reaching the server
itself needs to be applied.
The kerberised server needs to be able to retrieve the original
address (before its firewall) that the request was sent for. If this
is done via some out-of-band mechanism or it's directly able to see it
doesn't matter.
.ti 0
Specification
.ti 0
Security considerations
.in 3
This memo does not introduce any known security considerations in
addition to those mentioned in [RFC1510].
.ti 0
References
.in 3
[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
Authentication Service (V5)", RFC 1510, September 1993.
.ti 0
Authors' Addresses
Assar Westerlund
.br
Swedish Institute of Computer Science
.br
Box 1263
.br
S-164 29 KISTA
.br
Sweden
Phone: +46-8-7521526
.br
Fax: +46-8-7517230
.br
EMail: assar@sics.se
Johan Danielsson
.br
PDC, KTH
.br
S-100 44 STOCKHOLM
.br
Sweden
Phone: +46-8-7907885
.br
Fax: +46-8-247784
.br
EMail: joda@pdc.kth.se